Show HN: CLI that spots fake GitHub stars, risky dependencies and licence traps

Original link: https://github.com/m-ahmed-elbeskeri/Starguard

StarGuard is a command-line tool that automates open-source risk assessment, inspired by research into fake stars and the growing number of supply-chain attacks. It helps CTOs, security teams and venture capital firms evaluate open-source projects quickly. StarGuard checks the following:

  • **Fake stars:** detects unnatural growth in star counts and analyses the behavioural traits of stargazer accounts to identify bot activity.
  • **Dependency risk:** parses manifest files to identify unpinned or hidden dependencies.
  • **Licence issues:** detects high-risk or unknown licences in the project and its dependencies.
  • **Maintainer activity:** assesses contributor concentration, commit frequency and inactivity.
  • **Code signals:** scans for potentially malicious code patterns, such as obfuscation.

It outputs reports in JSON, Markdown or plain text, including star-history plots and shields.io badges. It uses the GitHub API and a set of parsers, and combines the results into a single trust score. StarGuard is easy to use and extensible; it requires Python 3.9+ and a GitHub token for higher rate limits. It performs static analysis only, reads only public metadata, and stores no personal data.

StarGuard is a command-line tool developed by artski that addresses the unreliability of GitHub stars and, more broadly, supply-chain risk. Inspired by a study of fake stars, StarGuard analyses starred_at timestamps to detect sudden spikes, then samples the user accounts behind those spikes to derive a "Fake Star Index". It also identifies risks such as unpinned dependencies, direct Git URLs and licence inconsistencies. The tool flags unusual contributor patterns (for example, a single inactive maintainer) and scans code for danger signs such as eval calls. All of this data is combined into a "Trust Score", displayed as a README badge, which helps users quickly assess a repository's health and penalises fake-star behaviour. Although some people dispute the significance of certain flags, such as a single maintainer, the tool offers a heuristics-based way to evaluate open-source projects that aims to provide more context than raw star counts. It uses the GitHub API to give users these insights.

Original text

CLI tool to detect fake-star campaigns, dependency hijacks, licence red flags, and other signals of open-source risk.
Inspired by the 4.5 million fake stars study, StarGuard helps CTOs, security teams, and VCs automate open-source due diligence in seconds.


  • Fake stars are rampant. Research shows botnets and paid campaigns artificially inflate repo popularity.
  • Supply chain attacks are rising. Malicious packages and licence traps easily reach production.
  • Manual review doesn’t scale. StarGuard distills key public signals into a trust score — fast, repeatable, and extensible.

| Category | What StarGuard Checks |
| --- | --- |
| Stars | Burst detection (MAD + heuristics), bot-likeness profiling, Fake Star Index, trust badge generation. |
| 📦 Dependencies | SBOM / manifest parsing across npm, PyPI, Maven, Go, Ruby; flags unpinned, shadow, or non-registry deps. |
| Licences | Detects unknown or high-risk licences (GPL/AGPL flags), scans both repo and direct deps. |
| 🛠 Maintainers | Contributor concentration, commit cadence, inactivity warnings. |
| 🧪 Code Signals | Pattern scans for obfuscation, remote exec, crypto-mining, or data exfiltration hints. |
| 📤 Outputs | JSON, Markdown, plaintext reports; PNG star-history plots; shields.io badge embed. |

  1. GitHub API/GraphQL – collects stars, forks, issues, traffic stats.
  2. BurstDetector – sliding window MAD algorithm + rules to catch inorganic star spikes.
  3. User Profiler – samples stargazers, checks account age, avatar, follower count, repo history.
  4. Dependency & Licence Parsers – uses API or file-based fallback.
  5. Scoring Engine – normalises components, applies weighted trust scoring + Fake-Star penalty.
flowchart TD
    GH[GitHub API] --> Collectors
    Collectors -->|Star, forks, issues| Analyzers
    MF[Manifest files] --> Parser
    Analyzers --> ScoreCombiner
    Parser --> ScoreCombiner
    ScoreCombiner -->|Report / Badge / API| Output
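The BurstDetector step above, shown as an added illustration rather than StarGuard's own code: a sliding-window MAD detector run over constructed starred_at timestamps, which then hands back the accounts behind a flagged day for profiling. The window size, threshold k and minimum-star floor are assumed tuning knobs, not the project's defaults.

```python
from datetime import datetime, timedelta
from statistics import median

def make_sample_stargazers():
    """Constructed sample: 2 stars/day for 30 days, with a 60-star spike on day 20."""
    base = datetime(2025, 1, 1)
    stars, uid = [], 0
    for day in range(30):
        for _ in range(60 if day == 20 else 2):
            stars.append({"login": f"user{uid}",
                          "starred_at": base + timedelta(days=day, hours=uid % 24)})
            uid += 1
    return stars

def daily_counts(stargazers):
    """Bucket starred_at timestamps into zero-filled, date-ordered daily counts."""
    dates = [s["starred_at"].date() for s in stargazers]
    start, end = min(dates), max(dates)
    counts = {start + timedelta(days=i): 0 for i in range((end - start).days + 1)}
    for d in dates:
        counts[d] += 1
    return counts

def mad(values):
    """Median absolute deviation: robust to the very outliers being hunted."""
    m = median(values)
    return median([abs(v - m) for v in values])

def detect_bursts(counts, window=7, k=5.0, min_stars=20):
    """Flag days whose count sits k MADs above the median of the preceding window.
    window/k/min_stars are assumed parameters chosen for this example."""
    days = list(counts)
    bursts = []
    for i in range(window, len(days)):
        history = [counts[d] for d in days[i - window:i]]
        med, spread = median(history), mad(history) or 1.0  # flat history gives MAD 0
        score = (counts[days[i]] - med) / spread
        if score >= k and counts[days[i]] >= min_stars:
            bursts.append((days[i], counts[days[i]], round(score, 1)))
    return bursts

def burst_stargazers(stargazers, bursts):
    """Accounts that starred during flagged days: the pool a user profiler would sample."""
    burst_days = {day for day, _, _ in bursts}
    return [s["login"] for s in stargazers if s["starred_at"].date() in burst_days]
```

The `min_stars` floor keeps a quiet repo from being flagged when two stars arrive on a day that normally sees none.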

  • Python ≥ 3.9
  • GitHub Personal Access Token (for high-rate limits)
export GITHUB_TOKEN=ghp_xxxxxxxxx

# Full scan with star plot
python starguard.py pytorch/pytorch --format markdown --plot stars.png

# Burst-only fast scan
python starguard.py https://github.com/vercel/next.js --burst-only

python starguard.py OWNER/REPO [options]

Options:
  -t, --token TEXT                GitHub token (or set GITHUB_TOKEN env)
  -f, --format [text|json|markdown]  Output format (default: text)
  -o, --output FILE              Write report to file
  --plot FILE                    Save star-history PNG
  --no-fake-stars                Skip Fake-Star analysis
  --burst-only                   Only run burst detection
  -v, --verbose                  Enable debug logging

  • CTOs – Gate open-source additions during review.
  • Security Teams – Schedule scans, integrate with security reviews.
  • VCs – Rapid diligence on "10k stars" developer tools.
  • Open-Source Maintainers – Show a StarGuard badge for transparency.

  1. Fork and branch
  2. Run make test
  3. Open a PR with small, focused commits

  • Only public metadata read (unless token provided)
  • No code is executed; only static analysis
  • Stores no personal data or credentials

Apache License 2.0 © 2025 StarGuard contributors
